import rhel-system-roles-1.20.1-1.el8

This commit is contained in:
CentOS Sources 2022-11-08 01:42:25 -05:00 committed by Stepan Oksanichenko
parent ac44374ec7
commit c20a826a95
10 changed files with 1044 additions and 882 deletions

.gitignore vendored

@ -1,23 +1,23 @@
SOURCES/ansible-posix-1.3.0.tar.gz
SOURCES/ansible-sshd-214df35c0bee77b5d69f49c2da269251d451b28f.tar.gz
SOURCES/auto-maintenance-5e7bb389fc5e93184871b3907e75ba896874dc21.tar.gz
SOURCES/certificate-1.1.3.tar.gz
SOURCES/cockpit-1.2.1.tar.gz
SOURCES/community-general-4.6.0.tar.gz
SOURCES/crypto_policies-1.2.3.tar.gz
SOURCES/firewall-1.1.0.tar.gz
SOURCES/ha_cluster-1.4.1.tar.gz
SOURCES/kdump-1.2.2.tar.gz
SOURCES/kernel_settings-1.1.6.tar.gz
SOURCES/logging-1.8.1.tar.gz
SOURCES/metrics-1.5.1.tar.gz
SOURCES/nbde_client-1.2.2.tar.gz
SOURCES/nbde_server-1.1.2.tar.gz
SOURCES/network-1.7.1.tar.gz
SOURCES/postfix-1.2.0.tar.gz
SOURCES/selinux-1.3.4.tar.gz
SOURCES/ssh-1.1.4.tar.gz
SOURCES/storage-1.7.0.tar.gz
SOURCES/timesync-1.6.6.tar.gz
SOURCES/tlog-1.2.6.tar.gz
SOURCES/vpn-1.3.2.tar.gz
SOURCES/ansible-posix-1.4.0.tar.gz
SOURCES/ansible-sshd-9766d9097a87a130d4c8abde2247aaad5c925ecf.tar.gz
SOURCES/auto-maintenance-c22eff88d40972158cd5c413b7468b4e904cc76c.tar.gz
SOURCES/certificate-1.1.6.tar.gz
SOURCES/cockpit-1.3.0.tar.gz
SOURCES/community-general-5.4.0.tar.gz
SOURCES/crypto_policies-1.2.6.tar.gz
SOURCES/firewall-1.4.0.tar.gz
SOURCES/ha_cluster-1.7.4.tar.gz
SOURCES/kdump-1.2.5.tar.gz
SOURCES/kernel_settings-1.1.10.tar.gz
SOURCES/logging-1.10.0.tar.gz
SOURCES/metrics-1.7.3.tar.gz
SOURCES/nbde_client-1.2.6.tar.gz
SOURCES/nbde_server-1.1.5.tar.gz
SOURCES/network-1.9.1.tar.gz
SOURCES/postfix-1.2.4.tar.gz
SOURCES/selinux-1.4.0.tar.gz
SOURCES/ssh-1.1.9.tar.gz
SOURCES/storage-1.9.1.tar.gz
SOURCES/timesync-1.6.9.tar.gz
SOURCES/tlog-1.2.9.tar.gz
SOURCES/vpn-1.3.5.tar.gz


@ -1,23 +1,23 @@
d2d2382c38eaf34d2295aba2aa4652d75ebbaeef SOURCES/ansible-posix-1.3.0.tar.gz
a4d4556cf6628e87fa62dec6c46099338b499930 SOURCES/ansible-sshd-214df35c0bee77b5d69f49c2da269251d451b28f.tar.gz
a2ec14498a7fd213f08dd24ca139039c958b07fd SOURCES/auto-maintenance-5e7bb389fc5e93184871b3907e75ba896874dc21.tar.gz
cee41b5fd6359e9ddeb83c5af7b8057fef6b2334 SOURCES/certificate-1.1.3.tar.gz
004064268df0e7dd154331b7799272d3277388d4 SOURCES/cockpit-1.2.1.tar.gz
ad8684050c86bad7ce4882a84e14be6867a56d8d SOURCES/community-general-4.6.0.tar.gz
0684c1335923ba8ebbb05afbd507e5ff31f874d6 SOURCES/crypto_policies-1.2.3.tar.gz
fcb8d48ccaeba886859ce6afd3d14bbb3f8a5667 SOURCES/firewall-1.1.0.tar.gz
9a990a4908bdf3269bce4f214907623780a5e221 SOURCES/ha_cluster-1.4.1.tar.gz
a1c9c89dea1dbe2410465c29ad0e1d3637ac5f52 SOURCES/kdump-1.2.2.tar.gz
0a681d1e3b236c4750d663f2a833e786a5e958ab SOURCES/kernel_settings-1.1.6.tar.gz
e530528ba5f9478cc8604aa6612388ea8e5078af SOURCES/logging-1.8.1.tar.gz
430ce63a7b45b97305e4f8591192fa7e58af8292 SOURCES/metrics-1.5.1.tar.gz
0424321322eb4d80560a8d2d9fee406296728463 SOURCES/nbde_client-1.2.2.tar.gz
33f0a3ea008021e69b2bbd7b25f6536f91e7613d SOURCES/nbde_server-1.1.2.tar.gz
dcd2261fe6b6a998aca3eb6c968204152e2ffd51 SOURCES/network-1.7.1.tar.gz
95c54da9ef5acaae9553f2c4ed250452502ab9e0 SOURCES/postfix-1.2.0.tar.gz
4e5c5216814577ee55304721e5c811ed8857efbc SOURCES/selinux-1.3.4.tar.gz
f38972c4b22a9f226b58725c7e9ba8fac692bba2 SOURCES/ssh-1.1.4.tar.gz
0728b4e01261f84ce470431a4ea21907db75f26a SOURCES/storage-1.7.0.tar.gz
0bd118c9df9bf556a76d42c92bde11fde5553eba SOURCES/timesync-1.6.6.tar.gz
d10a0dd866c1ce982d2ba22500718df3fb2ab766 SOURCES/tlog-1.2.6.tar.gz
d1bb00636c04bc1b2d94ce0e491afe9ef921cd56 SOURCES/vpn-1.3.2.tar.gz
bca451fd997be80be30f106e49f1bf550d2e609c SOURCES/ansible-posix-1.4.0.tar.gz
c47e62ecf6502d952378206626ba66e456a73513 SOURCES/ansible-sshd-9766d9097a87a130d4c8abde2247aaad5c925ecf.tar.gz
453a44d1259addc4f702ea79da7b810b420e21f1 SOURCES/auto-maintenance-c22eff88d40972158cd5c413b7468b4e904cc76c.tar.gz
25e2045c8fc9d6455d7c5b0c7d32d4976ebc5178 SOURCES/certificate-1.1.6.tar.gz
77b34cce8b416fec3a50900b47cbe6b8216e3036 SOURCES/cockpit-1.3.0.tar.gz
58f117fafe36a19425b3a9bc0ba69f33e5fa81ee SOURCES/community-general-5.4.0.tar.gz
56bc0763e0b549c3499a80e95d0953ee6769136a SOURCES/crypto_policies-1.2.6.tar.gz
4ee58deb2a514edd81dbcc56508be4ca9fd49089 SOURCES/firewall-1.4.0.tar.gz
6ac7fbfa996fd4425415601d28e5b7b0790682ae SOURCES/ha_cluster-1.7.4.tar.gz
6ae0614d51db00957943fad6967674c0de88862c SOURCES/kdump-1.2.5.tar.gz
17f28f701d7842499b232a7b28daae5f51ea631b SOURCES/kernel_settings-1.1.10.tar.gz
042ba1183db4d36742a21c92111d68415c7c951a SOURCES/logging-1.10.0.tar.gz
4ebbf457b9f0d767d19b7ef322b848e5e4da50ef SOURCES/metrics-1.7.3.tar.gz
80baf489aea9052ad11c84df7a6adfca75ce7a7b SOURCES/nbde_client-1.2.6.tar.gz
2e2ad1b455da8c0a198524a08ffe16f2c954f131 SOURCES/nbde_server-1.1.5.tar.gz
cb01d5d59afdf4f514de5fda2220ea8271ecb699 SOURCES/network-1.9.1.tar.gz
4a31ac4e7d4de65c2a74cfc6f3c4ff852d5a578c SOURCES/postfix-1.2.4.tar.gz
a54aee1fa1b0ee023e4168d0abe880ad6ea64dcb SOURCES/selinux-1.4.0.tar.gz
fcdbd369bcc41df028f842e49ebff28370d3adb4 SOURCES/ssh-1.1.9.tar.gz
10b9bf8f3b16fc99d6070af6dbf82f9f889a8ff6 SOURCES/storage-1.9.1.tar.gz
c0af2701a0f8db1d721bf6df4ba257888be0fe87 SOURCES/timesync-1.6.9.tar.gz
53fd0059c1da4c42228a9c0df592a96cd5a5060f SOURCES/tlog-1.2.9.tar.gz
ec3e9a88af360861ea3ef4be92fbb6776690272d SOURCES/vpn-1.3.5.tar.gz


@ -0,0 +1,79 @@
From 1bda31d2d07ed9042b09b0596904dd4f317d8f48 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 26 Sep 2022 20:20:47 +0200
Subject: [PATCH] Add final version of the option RequiredRSASize (#53)
* Update source template to match generated template
* Add final name of the RequiredRSASize parameter
keeping the old version for backward compatibility.
Upstream commit:
https://github.com/openssh/openssh-portable/commit/54b333d1
---
.dev-tools/10_top.j2 | 4 ++--
.dev-tools/options_body | 1 +
templates/ssh_config.j2 | 3 +++
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/.dev-tools/10_top.j2 b/.dev-tools/10_top.j2
index 99704bd..8411de8 100644
--- a/.dev-tools/10_top.j2
+++ b/.dev-tools/10_top.j2
@@ -7,10 +7,10 @@
{% elif value is sameas false %}
{{ key }} no
{% elif value is string or value is number %}
-{{ key }} {{ value }}
+{{ key }} {{ value | string }}
{% else %}
{% for i in value %}
-{{ key }} {{ i }}
+{{ key }} {{ i | string }}
{% endfor %}
{% endif %}
{% endif %}
diff --git a/.dev-tools/options_body b/.dev-tools/options_body
index 176879d..8cc382f 100644
--- a/.dev-tools/options_body
+++ b/.dev-tools/options_body
@@ -84,6 +84,7 @@ RekeyLimit
RemoteCommand
RemoteForward
RequestTTY
+RequiredRSASize
RevokedHostKeys
RhostsRSAAuthentication
RSAAuthentication
diff --git a/templates/ssh_config.j2 b/templates/ssh_config.j2
index fab57de..7f277c7 100644
--- a/templates/ssh_config.j2
+++ b/templates/ssh_config.j2
@@ -119,6 +119,7 @@ Match {{ match["Condition"] }}
{{ render_option("RemoteCommand",match["RemoteCommand"],true) -}}
{{ render_option("RemoteForward",match["RemoteForward"],true) -}}
{{ render_option("RequestTTY",match["RequestTTY"],true) -}}
+{{ render_option("RequiredRSASize",match["RequiredRSASize"],true) -}}
{{ render_option("RevokedHostKeys",match["RevokedHostKeys"],true) -}}
{{ render_option("RhostsRSAAuthentication",match["RhostsRSAAuthentication"],true) -}}
{{ render_option("RSAAuthentication",match["RSAAuthentication"],true) -}}
@@ -240,6 +241,7 @@ Host {{ host["Condition"] }}
{{ render_option("RemoteCommand",host["RemoteCommand"],true) -}}
{{ render_option("RemoteForward",host["RemoteForward"],true) -}}
{{ render_option("RequestTTY",host["RequestTTY"],true) -}}
+{{ render_option("RequiredRSASize",host["RequiredRSASize"],true) -}}
{{ render_option("RevokedHostKeys",host["RevokedHostKeys"],true) -}}
{{ render_option("RhostsRSAAuthentication",host["RhostsRSAAuthentication"],true) -}}
{{ render_option("RSAAuthentication",host["RSAAuthentication"],true) -}}
@@ -354,6 +356,7 @@ Host {{ host["Condition"] }}
{{ body_option("RemoteCommand",ssh_RemoteCommand) -}}
{{ body_option("RemoteForward",ssh_RemoteForward) -}}
{{ body_option("RequestTTY",ssh_RequestTTY) -}}
+{{ body_option("RequiredRSASize",ssh_RequiredRSASize) -}}
{{ body_option("RevokedHostKeys",ssh_RevokedHostKeys) -}}
{{ body_option("RhostsRSAAuthentication",ssh_RhostsRSAAuthentication) -}}
{{ body_option("RSAAuthentication",ssh_RSAAuthentication) -}}
--
2.37.3
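Review bot: The three added `RequiredRSASize` lines in templates/ssh_config.j2 (the Match, Host and body hunks) are rendered whenever the corresponding variable is set, but nothing in the patch ties that to the OpenSSH version on the managed host; ssh treats an unrecognised keyword in ssh_config as a fatal "Bad configuration option", so a user who sets `ssh_RequiredRSASize` against a host whose OpenSSH predates the upstream commit cited in the patch header (54b333d1) gets a client that refuses to run rather than one that merely ignores the setting. The patch keeps the older `RSAMinSize` spelling for compatibility but does not state which wins when both are given, and the diffstat shows no README or argument-spec change, so the new variable is undocumented. I would add to the role documentation a sentence such as `RequiredRSASize is only understood by OpenSSH builds that include upstream commit 54b333d1; on older hosts use RSAMinSize instead, and set only one of the two.` The sshd patch in the next file section (meta/options_body, templates/sshd_config.j2, templates/sshd_config_snippet.j2) has the same gap, and there a rejected keyword means sshd fails its configuration check and will not (re)start. The Match and Host blocks these hunks sit in start and end outside the hunks.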



@ -0,0 +1,83 @@
From 1408f489240dca04f086e4b32b253313eea28ea8 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 26 Sep 2022 15:26:12 +0200
Subject: [PATCH] Add final version of RequiredRSASize
Keep the old version for backward compatibility
Upstream commit:
https://github.com/openssh/openssh-portable/commit/1875042c
---
meta/options_body | 1 +
meta/options_match | 1 +
templates/sshd_config.j2 | 2 ++
templates/sshd_config_snippet.j2 | 2 ++
4 files changed, 6 insertions(+)
diff --git a/meta/options_body b/meta/options_body
index 8681269..23a00f4 100644
--- a/meta/options_body
+++ b/meta/options_body
@@ -89,6 +89,7 @@ PubkeyAuthentication
RSAAuthentication
RSAMinSize
RekeyLimit
+RequiredRSASize
RevokedKeys
RDomain
RhostsRSAAuthentication
diff --git a/meta/options_match b/meta/options_match
index 6ef9214..5ec1413 100644
--- a/meta/options_match
+++ b/meta/options_match
@@ -47,6 +47,7 @@ PubkeyAuthentication
RDomain
RekeyLimit
RevokedKeys
+RequiredRSASize
RhostsRSAAuthentication
RSAAuthentication
RSAMinSize
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index 2899f0a..a3b2465 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
@@ -89,6 +89,7 @@ Match {{ match["Condition"] }}
{{ render_option("RDomain",match["RDomain"],true) -}}
{{ render_option("RekeyLimit",match["RekeyLimit"],true) -}}
{{ render_option("RevokedKeys",match["RevokedKeys"],true) -}}
+{{ render_option("RequiredRSASize",match["RequiredRSASize"],true) -}}
{{ render_option("RhostsRSAAuthentication",match["RhostsRSAAuthentication"],true) -}}
{{ render_option("RSAAuthentication",match["RSAAuthentication"],true) -}}
{{ render_option("RSAMinSize",match["RSAMinSize"],true) -}}
@@ -203,6 +204,7 @@ Match {{ match["Condition"] }}
{{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
{{ body_option("RSAMinSize",sshd_RSAMinSize) -}}
{{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
+{{ body_option("RequiredRSASize",sshd_RequiredRSASize) -}}
{{ body_option("RevokedKeys",sshd_RevokedKeys) -}}
{{ body_option("RDomain",sshd_RDomain) -}}
{{ body_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}}
diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2
index 0ece8ed..a12cb3b 100644
--- a/templates/sshd_config_snippet.j2
+++ b/templates/sshd_config_snippet.j2
@@ -88,6 +88,7 @@ Match {{ match["Condition"] }}
{{ render_option("RDomain",match["RDomain"],true) -}}
{{ render_option("RekeyLimit",match["RekeyLimit"],true) -}}
{{ render_option("RevokedKeys",match["RevokedKeys"],true) -}}
+{{ render_option("RequiredRSASize",match["RequiredRSASize"],true) -}}
{{ render_option("RhostsRSAAuthentication",match["RhostsRSAAuthentication"],true) -}}
{{ render_option("RSAAuthentication",match["RSAAuthentication"],true) -}}
{{ render_option("RSAMinSize",match["RSAMinSize"],true) -}}
@@ -202,6 +203,7 @@ Match {{ match["Condition"] }}
{{ body_option("RSAAuthentication",sshd_RSAAuthentication) -}}
{{ body_option("RSAMinSize",sshd_RSAMinSize) -}}
{{ body_option("RekeyLimit",sshd_RekeyLimit) -}}
+{{ body_option("RequiredRSASize",sshd_RequiredRSASize) -}}
{{ body_option("RevokedKeys",sshd_RevokedKeys) -}}
{{ body_option("RDomain",sshd_RDomain) -}}
{{ body_option("RhostsRSAAuthentication",sshd_RhostsRSAAuthentication) -}}
--
2.37.3
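Review bot: In meta/options_match the new keyword is inserted after `RevokedKeys`, while meta/options_body inserts it before `RevokedKeys`, and both sshd templates then render `RequiredRSASize` after `RevokedKeys` in their Match hunks but before it in their body hunks; if these meta lists are what the templates are generated from, the inconsistent sort order will produce spurious reorders on the next regeneration. Changing the options_match hunk to `RekeyLimit` / `RequiredRSASize` / `RevokedKeys` would match options_body. This is a style point only; the rendered option value is unaffected.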


@ -1,151 +0,0 @@
From acb99e74a24fa07863c596fe59d2999adc28c249 Mon Sep 17 00:00:00 2001
From: Vojtech Trefny <vtrefny@redhat.com>
Date: Thu, 2 Jun 2022 15:18:19 +0200
Subject: [PATCH] LVM RAID raid0 level support (#272)
* Add workaround for missing LVM raid0 support in blivet
Blivet supports creating LVs with segment type "raid0" but it is
not in the list of supported RAID levels. This will be fixed in
blivet, see https://github.com/storaged-project/blivet/pull/1047
* Add a test for LVM RAID raid0 level
* README: Remove "striped" from the list of supported RAID for pools
We use MD RAID for RAIDs on the pool level which doesn't support
"striped" level.
* README: Clarify supported volume RAID levels
We support different levels for LVM RAID and MD RAID.
(cherry picked from commit 8b868a348155b08479743945aba88271121ad4b0)
---
README.md | 7 ++-
library/blivet.py | 7 +++
tests/tests_create_raid_pool_then_remove.yml | 54 ++++++++++++++++++++
3 files changed, 66 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index f8e3daa..bd123d7 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,7 @@ device node basename (like `sda` or `mpathb`), /dev/disk/ symlink
##### `raid_level`
When used with `type: lvm` it manages a volume group with a mdraid array of given level
on it. Input `disks` are in this case used as RAID members.
-Accepted values are: `linear`, `striped`, `raid0`, `raid1`, `raid4`, `raid5`, `raid6`, `raid10`
+Accepted values are: `linear`, `raid0`, `raid1`, `raid4`, `raid5`, `raid6`, `raid10`
##### `volumes`
This is a list of volumes that belong to the current pool. It follows the
@@ -136,7 +136,10 @@ Specifies RAID level. LVM RAID can be created as well.
"Regular" RAID volume requires type to be `raid`.
LVM RAID needs that volume has `storage_pools` parent with type `lvm`,
`raid_disks` need to be specified as well.
-Accepted values are: `linear` (N/A for LVM RAID), `striped`, `raid0`, `raid1`, `raid4`, `raid5`, `raid6`, `raid10`
+Accepted values are:
+* for LVM RAID volume: `raid0`, `raid1`, `raid4`, `raid5`, `raid6`, `raid10`, `striped`, `mirror`
+* for RAID volume: `linear`, `raid0`, `raid1`, `raid4`, `raid5`, `raid6`, `raid10`
+
__WARNING__: Changing `raid_level` for a volume is a destructive operation, meaning
all data on that volume will be lost as part of the process of
removing old and adding new RAID. RAID reshaping is currently not
diff --git a/library/blivet.py b/library/blivet.py
index 29552fa..33c93b2 100644
--- a/library/blivet.py
+++ b/library/blivet.py
@@ -118,6 +118,7 @@ LIB_IMP_ERR = ""
try:
from blivet3 import Blivet
from blivet3.callbacks import callbacks
+ from blivet3 import devicelibs
from blivet3 import devices
from blivet3.deviceaction import ActionConfigureFormat
from blivet3.flags import flags as blivet_flags
@@ -132,6 +133,7 @@ except ImportError:
try:
from blivet import Blivet
from blivet.callbacks import callbacks
+ from blivet import devicelibs
from blivet import devices
from blivet.deviceaction import ActionConfigureFormat
from blivet.flags import flags as blivet_flags
@@ -152,6 +154,11 @@ if BLIVET_PACKAGE:
set_up_logging()
log = logging.getLogger(BLIVET_PACKAGE + ".ansible")
+ # XXX add support for LVM RAID raid0 level
+ devicelibs.lvm.raid_levels.add_raid_level(devicelibs.raid.RAID0)
+ if "raid0" not in devicelibs.lvm.raid_seg_types:
+ devicelibs.lvm.raid_seg_types.append("raid0")
+
MAX_TRIM_PERCENT = 2
diff --git a/tests/tests_create_raid_pool_then_remove.yml b/tests/tests_create_raid_pool_then_remove.yml
index d81680d..1fb4e15 100644
--- a/tests/tests_create_raid_pool_then_remove.yml
+++ b/tests/tests_create_raid_pool_then_remove.yml
@@ -150,3 +150,57 @@
raid_disks: "{{ [unused_disks[0], unused_disks[1]] }}"
- include_tasks: verify-role-results.yml
+
+ - name: Create a RAID0 lvm raid device
+ include_role:
+ name: linux-system-roles.storage
+ vars:
+ storage_pools:
+ - name: vg1
+ disks: "{{ unused_disks }}"
+ type: lvm
+ state: present
+ volumes:
+ - name: lv1
+ size: "{{ volume1_size }}"
+ mount_point: "{{ mount_location1 }}"
+ raid_disks: "{{ [unused_disks[0], unused_disks[1]] }}"
+ raid_level: raid0
+
+ - include_tasks: verify-role-results.yml
+
+ - name: Repeat the previous invocation to verify idempotence
+ include_role:
+ name: linux-system-roles.storage
+ vars:
+ storage_pools:
+ - name: vg1
+ disks: "{{ unused_disks }}"
+ type: lvm
+ state: present
+ volumes:
+ - name: lv1
+ size: "{{ volume1_size }}"
+ mount_point: "{{ mount_location1 }}"
+ raid_level: raid0
+ raid_disks: "{{ [unused_disks[0], unused_disks[1]] }}"
+
+ - include_tasks: verify-role-results.yml
+
+ - name: Remove the device created above
+ include_role:
+ name: linux-system-roles.storage
+ vars:
+ storage_pools:
+ - name: vg1
+ disks: "{{ unused_disks }}"
+ type: lvm
+ state: absent
+ volumes:
+ - name: lv1
+ size: "{{ volume1_size }}"
+ mount_point: "{{ mount_location1 }}"
+ raid_level: raid0
+ raid_disks: "{{ [unused_disks[0], unused_disks[1]] }}"
+
+ - include_tasks: verify-role-results.yml
--
2.35.3

View File

@ -1,192 +0,0 @@
From ba8a97039805f488c26b4d857f0137a349359c23 Mon Sep 17 00:00:00 2001
From: Richard Megginson <rmeggins@redhat.com>
Date: Mon, 16 May 2022 07:51:43 -0600
Subject: [PATCH] add support for mount_options (#270)
* add support for mount_options
When support for argument validation was added, that support did not
include the `mount_options` parameter. This fix adds back that
parameter. In addition, the volume module arguments are refactored
so that the common volume parameters such as `mount_options` can be
specified in one place.
This adds a test for the `mount_options` parameter, and adds
verification for that parameter.
* only checkout mount_options if requested
(cherry picked from commit ecf3d04bb704db5c1a095aaef40c2372fd45d4d6)
---
library/blivet.py | 78 ++++++++++++++----------------
tests/test-verify-volume-fstab.yml | 22 ++++++++-
tests/tests_misc.yml | 3 ++
3 files changed, 60 insertions(+), 43 deletions(-)
diff --git a/library/blivet.py b/library/blivet.py
index 80575bb..29552fa 100644
--- a/library/blivet.py
+++ b/library/blivet.py
@@ -105,6 +105,7 @@ volumes:
elements: dict
'''
+import copy
import logging
import os
import traceback
@@ -1500,6 +1501,39 @@ def activate_swaps(b, pools, volumes):
def run_module():
# available arguments/parameters that a user can pass
+ common_volume_opts = dict(encryption=dict(type='bool'),
+ encryption_cipher=dict(type='str'),
+ encryption_key=dict(type='str'),
+ encryption_key_size=dict(type='int'),
+ encryption_luks_version=dict(type='str'),
+ encryption_password=dict(type='str'),
+ fs_create_options=dict(type='str'),
+ fs_label=dict(type='str', default=''),
+ fs_type=dict(type='str'),
+ mount_options=dict(type='str'),
+ mount_point=dict(type='str'),
+ name=dict(type='str'),
+ raid_level=dict(type='str'),
+ size=dict(type='str'),
+ state=dict(type='str', default='present', choices=['present', 'absent']),
+ type=dict(type='str'))
+ volume_opts = copy.deepcopy(common_volume_opts)
+ volume_opts.update(
+ dict(disks=dict(type='list'),
+ raid_device_count=dict(type='int'),
+ raid_spare_count=dict(type='int'),
+ raid_metadata_version=dict(type='str')))
+ pool_volume_opts = copy.deepcopy(common_volume_opts)
+ pool_volume_opts.update(
+ dict(cached=dict(type='bool'),
+ cache_devices=dict(type='list', elements='str', default=list()),
+ cache_mode=dict(type='str'),
+ cache_size=dict(type='str'),
+ compression=dict(type='bool'),
+ deduplication=dict(type='bool'),
+ raid_disks=dict(type='list', elements='str', default=list()),
+ vdo_pool_size=dict(type='str')))
+
module_args = dict(
pools=dict(type='list', elements='dict',
options=dict(disks=dict(type='list', elements='str', default=list()),
@@ -1517,49 +1551,9 @@ def run_module():
state=dict(type='str', default='present', choices=['present', 'absent']),
type=dict(type='str'),
volumes=dict(type='list', elements='dict', default=list(),
- options=dict(cached=dict(type='bool'),
- cache_devices=dict(type='list', elements='str', default=list()),
- cache_mode=dict(type='str'),
- cache_size=dict(type='str'),
- compression=dict(type='bool'),
- deduplication=dict(type='bool'),
- encryption=dict(type='bool'),
- encryption_cipher=dict(type='str'),
- encryption_key=dict(type='str'),
- encryption_key_size=dict(type='int'),
- encryption_luks_version=dict(type='str'),
- encryption_password=dict(type='str'),
- fs_create_options=dict(type='str'),
- fs_label=dict(type='str', default=''),
- fs_type=dict(type='str'),
- mount_point=dict(type='str'),
- name=dict(type='str'),
- raid_disks=dict(type='list', elements='str', default=list()),
- raid_level=dict(type='str'),
- size=dict(type='str'),
- state=dict(type='str', default='present', choices=['present', 'absent']),
- type=dict(type='str'),
- vdo_pool_size=dict(type='str'))))),
+ options=pool_volume_opts))),
volumes=dict(type='list', elements='dict',
- options=dict(disks=dict(type='list'),
- encryption=dict(type='bool'),
- encryption_cipher=dict(type='str'),
- encryption_key=dict(type='str'),
- encryption_key_size=dict(type='int'),
- encryption_luks_version=dict(type='str'),
- encryption_password=dict(type='str'),
- fs_create_options=dict(type='str'),
- fs_label=dict(type='str', default=''),
- fs_type=dict(type='str'),
- mount_point=dict(type='str'),
- name=dict(type='str'),
- raid_level=dict(type='str'),
- raid_device_count=dict(type='int'),
- raid_spare_count=dict(type='int'),
- raid_metadata_version=dict(type='str'),
- size=dict(type='str'),
- state=dict(type='str', default='present', choices=['present', 'absent']),
- type=dict(type='str'))),
+ options=volume_opts),
packages_only=dict(type='bool', required=False, default=False),
disklabel_type=dict(type='str', required=False, default=None),
safe_mode=dict(type='bool', required=False, default=True),
diff --git a/tests/test-verify-volume-fstab.yml b/tests/test-verify-volume-fstab.yml
index 80d78f0..0091084 100644
--- a/tests/test-verify-volume-fstab.yml
+++ b/tests/test-verify-volume-fstab.yml
@@ -11,6 +11,15 @@
storage_test_fstab_expected_mount_point_matches: "{{ 1
if (_storage_test_volume_present and storage_test_volume.mount_point and storage_test_volume.mount_point.startswith('/'))
else 0 }}"
+ storage_test_fstab_mount_options_matches: "{{ storage_test_fstab.stdout_lines |
+ map('regex_search', ' ' + storage_test_volume.mount_point + ' .* ' + storage_test_volume.mount_options + ' +') |
+ select('string')|list if (
+ storage_test_volume.mount_options|d('none',true) != 'none'
+ and storage_test_volume.mount_point|d('none',true) != 'none'
+ ) else [] }}"
+ storage_test_fstab_expected_mount_options_matches: "{{ 1
+ if (_storage_test_volume_present and storage_test_volume.mount_options)
+ else 0 }}"
# device id
- name: Verify that the device identifier appears in /etc/fstab
@@ -26,7 +35,16 @@
msg: "Expected number ({{ storage_test_fstab_expected_mount_point_matches }}) of
entries with volume '{{ storage_test_volume.name }}' mount point not found in /etc/fstab."
-# todo: options
+# mount options
+- name: Verify mount_options
+ assert:
+ that: storage_test_fstab_mount_options_matches|length == storage_test_fstab_expected_mount_options_matches|int
+ msg: "Expected number ({{ storage_test_fstab_expected_mount_options_matches }}) of
+ entries with volume '{{ storage_test_volume.name }}' mount options not found in /etc/fstab."
+ when:
+ - __storage_verify_mount_options | d(false)
+ - "'mount_options' in storage_test_volume"
+ - "'mount_point' in storage_test_volume"
- name: Clean up variables
set_fact:
@@ -34,3 +52,5 @@
storage_test_fstab_mount_point_matches: null
storage_test_fstab_expected_id_matches: null
storage_test_fstab_expected_mount_point_matches: null
+ storage_test_fstab_mount_options_matches: null
+ storage_test_fstab_expected_mount_options_matches: null
diff --git a/tests/tests_misc.yml b/tests/tests_misc.yml
index 159c959..97c1627 100644
--- a/tests/tests_misc.yml
+++ b/tests/tests_misc.yml
@@ -189,8 +189,11 @@
fs_type: 'ext4'
fs_create_options: '-F'
mount_point: "{{ mount_location }}"
+ mount_options: rw,noatime,defaults
- include_tasks: verify-role-results.yml
+ vars:
+ __storage_verify_mount_options: true
- name: Remove the disk volume created above
include_role:
--
2.35.3

SOURCES/CHANGELOG.md Normal file

@ -0,0 +1,573 @@
Changelog
=========
[1.20.1] - 2022-09-27
----------------------------
### New Features
- [ssh,sshd - Sync on final OpenSSH option name RequiredRSASize in ssh and sshd roles](https://bugzilla.redhat.com/show_bug.cgi?id=2129875)
### Bug Fixes
- none
[1.20.0] - 2022-08-09
----------------------------
### New Features
- [cockpit - Add customization of port](https://bugzilla.redhat.com/show_bug.cgi?id=2115159)
- [firewall - RFE: firewall-system-role: add ability to add interface to zone by PCI device ID](https://bugzilla.redhat.com/show_bug.cgi?id=2100939)
- [firewall - support for firewall_config - gather firewall facts](https://bugzilla.redhat.com/show_bug.cgi?id=2115160)
- [logging - [RFE] Support startmsg.regex and endmsg.regex in the files inputs](https://bugzilla.redhat.com/show_bug.cgi?id=2112143)
- [selinux - Added setting of seuser and selevel for completeness](https://bugzilla.redhat.com/show_bug.cgi?id=2115162)
### Bug Fixes
- [nbde_client - Sets proper spacing for parameter rd.neednet=1](https://bugzilla.redhat.com/show_bug.cgi?id=2115161)
- [network - fix IPRouteUtils.get_route_tables_mapping() to accept any whitespace sequence](https://bugzilla.redhat.com/show_bug.cgi?id=2115884)
- [ssh sshd - ssh, sshd: RSAMinSize parameter definition is missing](https://bugzilla.redhat.com/show_bug.cgi?id=2109997)
- [storage - [RHEL8] [WARNING]: The loop variable 'storage_test_volume' is already in use. You should set the `loop_var` value in the `loop_control` option for the task to something else to avoid variable collisions and unexpected behavior.](https://bugzilla.redhat.com/show_bug.cgi?id=2082391)
[1.19.3] - 2022-07-01
----------------------------
### New Features
- [firewall - support add/modify/delete services](https://bugzilla.redhat.com/show_bug.cgi?id=2100297)
- [network - [RFE] [network] Support managing the network through nmstate schema](https://bugzilla.redhat.com/show_bug.cgi?id=2100979)
- [storage - support for adding/removing disks to/from storage pools](https://bugzilla.redhat.com/show_bug.cgi?id=2066880)
- [storage - support for attaching cache volumes to existing volumes](https://bugzilla.redhat.com/show_bug.cgi?id=2066881)
### Bug Fixes
- [firewall - forward_port should accept list of string or list of dict](https://bugzilla.redhat.com/show_bug.cgi?id=2101607)
- [metrics - document minimum supported redis version required by rhel-system-roles](https://bugzilla.redhat.com/show_bug.cgi?id=2100285)
- [metrics - restart pmie, pmlogger if changed, do not wait for handler](https://bugzilla.redhat.com/show_bug.cgi?id=2100298)
[1.19.2] - 2022-06-15
----------------------------
### New Features
- [sshd - system role should be able to optionally manage /etc/ssh/sshd_config on RHEL 9](https://bugzilla.redhat.com/show_bug.cgi?id=2086935)
### Bug Fixes
- none
[1.19.1] - 2022-06-13
----------------------------
### New Features
- [storage - support for creating and managing LVM thin pools/LVs](https://bugzilla.redhat.com/show_bug.cgi?id=2066876)
- [All roles should support running with gather_facts: false](https://bugzilla.redhat.com/show_bug.cgi?id=2079008)
### Bug Fixes
- none
[1.19.0] - 2022-06-06
----------------------------
### New Features
- [storage - support for creating and managing LVM thin pools/LVs](https://bugzilla.redhat.com/show_bug.cgi?id=2066876)
- [firewall - state no longer required for masquerade and ICMP block inversion](https://bugzilla.redhat.com/show_bug.cgi?id=2093437)
### Bug Fixes
- [storage - role raid_level "striped" is not supported](https://bugzilla.redhat.com/show_bug.cgi?id=2083426)
[1.18.0] - 2022-05-26
----------------------------
### New Features
- [firewall - [Improvement] Allow System Role to reset to default Firewalld Settings](https://bugzilla.redhat.com/show_bug.cgi?id=2043009)
- [metrics - [RFE] add an option to the metrics role to enable postfix metric collection](https://bugzilla.redhat.com/show_bug.cgi?id=2079114)
- [network - Rework the infiniband support](https://bugzilla.redhat.com/show_bug.cgi?id=2086869)
- [sshd - system role should not assume that RHEL 9 /etc/ssh/sshd_config has "Include > /etc/ssh/sshd_config.d/*.conf"](https://bugzilla.redhat.com/show_bug.cgi?id=2086934)
- [sshd - system role should be able to optionally manage /etc/ssh/sshd_config on RHEL 9](https://bugzilla.redhat.com/show_bug.cgi?id=2086935)
### Bug Fixes
- [storage - role cannot set mount_options for volumes](https://bugzilla.redhat.com/show_bug.cgi?id=2083378)
[1.17.0] - 2022-04-25
----------------------------
### New Features
- [All roles should support running with gather_facts: false](https://bugzilla.redhat.com/show_bug.cgi?id=2079008)
- [ha_cluster - support advanced corosync configuration](https://bugzilla.redhat.com/show_bug.cgi?id=2065339)
- [ha_cluster - support SBD fencing](https://bugzilla.redhat.com/show_bug.cgi?id=2066868)
- [ha_cluster - add support for configuring bundle resources](https://bugzilla.redhat.com/show_bug.cgi?id=2073518)
- [logging - Logging - RFE - support template, severity and facility options](https://bugzilla.redhat.com/show_bug.cgi?id=2075116)
- [metrics - consistently use ansible_managed in configuration files managed by role [rhel-8.7.0]](https://bugzilla.redhat.com/show_bug.cgi?id=2065215)
- [metrics - [RFE] add an option to the metrics role to enable postfix metric collection](https://bugzilla.redhat.com/show_bug.cgi?id=2079114)
- [network - [RFE] Extend rhel-system-roles.network feature set to support routing rules](https://bugzilla.redhat.com/show_bug.cgi?id=1996731)
- [network - consistently use ansible_managed in configuration files managed by role [rhel-8.7.0]](https://bugzilla.redhat.com/show_bug.cgi?id=2065670)
- [postfix - consistently use ansible_managed in configuration files managed by role [rhel-8.7.0]](https://bugzilla.redhat.com/show_bug.cgi?id=2065216)
- [postfix - Postfix RHEL System Role should provide the ability to replace config and reset configuration back to default [rhel-8.7.0]](https://bugzilla.redhat.com/show_bug.cgi?id=2065218)
### Bug Fixes
- [firewall - Firewall system role Ansible deprecation warning related to "include"](https://bugzilla.redhat.com/show_bug.cgi?id=2078650)
- [kernel_settings - error configobj not found on RHEL 8.6 managed hosts [rhel-8.7.0]](https://bugzilla.redhat.com/show_bug.cgi?id=2060378)
- [metrics - Metrics role, with "metrics_from_mssql" option does not configure /var/lib/pcp/pmdas/mssql/mssql.conf on first run [rhel-8.7.0]](https://bugzilla.redhat.com/show_bug.cgi?id=2060377)
- [nbde_client - NBDE client system role does not support servers with static IP addresses [rhel-8.7.0]](https://bugzilla.redhat.com/show_bug.cgi?id=2071011)
- [network - bond: fix typo in supporting the infiniband ports in active-backup mode](https://bugzilla.redhat.com/show_bug.cgi?id=2064067)
- [sshd - FIPS mode detection in SSHD role is wrong](https://bugzilla.redhat.com/show_bug.cgi?id=2075338)
- [storage - RFE storage Less verbosity by default](https://bugzilla.redhat.com/show_bug.cgi?id=2056480)
- [tlog - Tlog role - Enabling session recording configuration does not work due to RHEL9 SSSD files provider default](https://bugzilla.redhat.com/show_bug.cgi?id=2072749)
[1.16.3] - 2022-04-07
----------------------------
### New Features
- none
### Bug Fixes
- [tlog - Tlog role - Enabling session recording configuration does not work due to RHEL9 SSSD files provider default](https://bugzilla.redhat.com/show_bug.cgi?id=2072749)
[1.16.2] - 2022-04-06
----------------------------
### New Features
- [nbde_client - NBDE client system role does not support servers with static IP addresses](https://bugzilla.redhat.com/show_bug.cgi?id=1985022)
### Bug Fixes
- none
[1.16.1] - 2022-03-29
----------------------------
### New Features
- [nbde_client - NBDE client system role does not support servers with static IP addresses](https://bugzilla.redhat.com/show_bug.cgi?id=1985022)
### Bug Fixes
- none
[1.16.0] - 2022-03-22
----------------------------
### New Features
- [network - consistently use ansible_managed in configuration files managed by role](https://bugzilla.redhat.com/show_bug.cgi?id=2057656)
- [metrics - consistently use ansible_managed in configuration files managed by role](https://bugzilla.redhat.com/show_bug.cgi?id=2057645)
- [postfix - consistently use ansible_managed in configuration files managed by role](https://bugzilla.redhat.com/show_bug.cgi?id=2057661)
- [postfix - Postfix RHEL System Role should provide the ability to replace config and reset configuration back to default](https://bugzilla.redhat.com/show_bug.cgi?id=2044657)
### Bug Fixes
- [network - bond: fix typo in supporting the infiniband ports in active-backup mode](https://bugzilla.redhat.com/show_bug.cgi?id=2064388)
[1.15.1] - 2022-03-03
----------------------------
### New Features
- none
### Bug Fixes
- [kernel_settings - error configobj not found on RHEL 8.6 managed hosts](https://bugzilla.redhat.com/show_bug.cgi?id=2058772)
- [timesync - timesync: basic-smoke test failure in timesync/tests_ntp.yml](https://bugzilla.redhat.com/show_bug.cgi?id=2058645)
[1.15.0] - 2022-03-01
----------------------------
### New Features
- [firewall - [RFE] - Firewall RHEL System Role should be able to set default zone](https://bugzilla.redhat.com/show_bug.cgi?id=2022458)
### Bug Fixes
- [metrics - Metrics role, with "metrics_from_mssql" option does not configure /var/lib/pcp/pmdas/mssql/mssql.conf on first run](https://bugzilla.redhat.com/show_bug.cgi?id=2058655)
- [firewall - ensure target changes take effect immediately](https://bugzilla.redhat.com/show_bug.cgi?id=2057172)
[1.14.0] - 2022-02-14
----------------------------
### New Features
- [network - [RFE] Add more bonding options to rhel-system-roles.network](https://bugzilla.redhat.com/show_bug.cgi?id=2008931)
- [certificate - should consistently use ansible_managed in hook scripts](https://bugzilla.redhat.com/show_bug.cgi?id=2054364)
- [tlog - consistently use ansible_managed in configuration files managed by role](https://bugzilla.redhat.com/show_bug.cgi?id=2054363)
- [vpn - consistently use ansible_managed in configuration files managed by role](https://bugzilla.redhat.com/show_bug.cgi?id=2054365)
### Bug Fixes
- [ha_cluster - set permissions for haclient group](https://bugzilla.redhat.com/show_bug.cgi?id=2049747)
[1.13.1] - 2022-02-08
----------------------------
### New Features
- none
### Bug Fixes
- [vpn - vpn: template error while templating string: no filter named 'vpn_ipaddr'](https://bugzilla.redhat.com/show_bug.cgi?id=2050341)
- [kdump - kdump: Unable to start service kdump: Job for kdump.service failed because the control process exited with error code.](https://bugzilla.redhat.com/show_bug.cgi?id=2052105)
[1.13.0] - 2022-02-01
----------------------------
### New Features
- [storage - RFE: Add support for RAID volumes (lvm-only)](https://bugzilla.redhat.com/show_bug.cgi?id=2016514)
- [storage - RFE: Add support for cached volumes (lvm-only)](https://bugzilla.redhat.com/show_bug.cgi?id=2016511)
- [nbde_client - NBDE client system role does not support servers with static IP addresses](https://bugzilla.redhat.com/show_bug.cgi?id=1985022)
- [ha_cluster - [RFE] ha_cluster - Support for creating resource constraints (Location, Ordering, etc.)](https://bugzilla.redhat.com/show_bug.cgi?id=2041635)
- [network - RFE: Support Routing Tables in static routes in Network Role](https://bugzilla.redhat.com/show_bug.cgi?id=2031521)
### Bug Fixes
- [metrics - role can't be re-run if the Grafana admin password has been changed](https://bugzilla.redhat.com/show_bug.cgi?id=1967321)
- [network - Failure to activate connection: nm-manager-error-quark: No suitable device found for this connection](https://bugzilla.redhat.com/show_bug.cgi?id=2034908)
- [network - Set DNS search setting only for enabled IP protocols](https://bugzilla.redhat.com/show_bug.cgi?id=2041627)
[1.12.0] - 2022-01-27
----------------------------
### New Features
- none
### Bug Fixes
- [logging - Logging role "logging_purge_confs" option not properly working](https://bugzilla.redhat.com/show_bug.cgi?id=2040812)
- [kernel_settings - role should use ansible_managed in its configuration file](https://bugzilla.redhat.com/show_bug.cgi?id=2047504)
[1.11.0] - 2022-01-20
----------------------------
### New Features
- [Support ansible-core 2.11+](https://bugzilla.redhat.com/show_bug.cgi?id=2012316)
- [cockpit - Please include "cockpit" role](https://bugzilla.redhat.com/show_bug.cgi?id=2021661)
- [ssh - ssh/tests_all_options.yml: "assertion": "'StdinNull yes' in config.content | b64decode ", failure](https://bugzilla.redhat.com/show_bug.cgi?id=2029614)
### Bug Fixes
- [timesync - timesync: Failure related to missing ntp/ntpd package/service on RHEL-9 host](https://bugzilla.redhat.com/show_bug.cgi?id=2029463)
- [logging - role missing quotes for immark module interval value](https://bugzilla.redhat.com/show_bug.cgi?id=2021678)
- [kdump - kdump: support reboot required and reboot ok](https://bugzilla.redhat.com/show_bug.cgi?id=2029605)
- [sshd - should detect FIPS mode and handle tasks correctly in FIPS mode](https://bugzilla.redhat.com/show_bug.cgi?id=1979714)
[1.10.0] - 2021-11-08
----------------------------
### New Features
- [cockpit - Please include "cockpit" role](https://bugzilla.redhat.com/show_bug.cgi?id=2021661)
- [firewall - Ansible Roles for RHEL Firewall](https://bugzilla.redhat.com/show_bug.cgi?id=1854988)
- [firewall - RFE: firewall-system-role: add ability to add-source](https://bugzilla.redhat.com/show_bug.cgi?id=1932678)
- [firewall - RFE: firewall-system-role: allow user defined zones](https://bugzilla.redhat.com/show_bug.cgi?id=1850768)
- [firewall - RFE: firewall-system-role: allow specifying the zone](https://bugzilla.redhat.com/show_bug.cgi?id=1850753)
- [Support ansible-core 2.11+](https://bugzilla.redhat.com/show_bug.cgi?id=2012316)
- [network - role: Allow to specify PCI address to configure profiles](https://bugzilla.redhat.com/show_bug.cgi?id=1695634)
- [network - [RFE] support wifi Enhanced Open (OWE)](https://bugzilla.redhat.com/show_bug.cgi?id=1993379)
- [network - [RFE] support WPA3 Simultaneous Authentication of Equals(SAE)](https://bugzilla.redhat.com/show_bug.cgi?id=1993311)
- [network - [Network] RFE: Support ignoring default gateway retrieved by DHCP/IPv6-RA](https://bugzilla.redhat.com/show_bug.cgi?id=1897565)
- [logging - [RFE] logging - Add user and password](https://bugzilla.redhat.com/show_bug.cgi?id=2010327)
### Bug Fixes
- [Replace `# {{ ansible_managed }}` with `{{ ansible_managed | comment }}`](https://bugzilla.redhat.com/show_bug.cgi?id=2006230)
- [logging - role missing quotes for immark module interval value](https://bugzilla.redhat.com/show_bug.cgi?id=2021678)
- [logging - Logging - Performance improvement](https://bugzilla.redhat.com/show_bug.cgi?id=2005727)
- [nbde_client - add regenerate-all to the dracut command](https://bugzilla.redhat.com/show_bug.cgi?id=2021682)
- [certificate - certificates: "group" option keeps certificates inaccessible to the group](https://bugzilla.redhat.com/show_bug.cgi?id=2021683)
[1.7.3] - 2021-08-26
----------------------------
### New Features
- [storage - RFE: Request that VDO be added to the Ansible (redhat-system-roles)](https://bugzilla.redhat.com/show_bug.cgi?id=1978488)
### Bug Fixes
- none
[1.7.2] - 2021-08-24
----------------------------
### New Features
- none
### Bug Fixes
- [logging - Update the certificates copy tasks](https://bugzilla.redhat.com/show_bug.cgi?id=1996777)
[1.7.1] - 2021-08-16
----------------------------
### New Features
- none
### Bug Fixes
- [metrics - role: the bpftrace role does not properly configure bpftrace agent](https://bugzilla.redhat.com/show_bug.cgi?id=1994180)
[1.7.0] - 2021-08-12
----------------------------
### New Features
- [drop support for Ansible 2.8](https://bugzilla.redhat.com/show_bug.cgi?id=1989197)
### Bug Fixes
- [sshd - sshd: failed to validate: error:Missing Match criteria for all Bad Match condition](https://bugzilla.redhat.com/show_bug.cgi?id=1991598)
[1.6.6] - 2021-08-06
----------------------------
### New Features
- [logging - [RFE] logging - Add a support for list value to server_host in the elasticsearch output](https://bugzilla.redhat.com/show_bug.cgi?id=1986460)
### Bug Fixes
- none
[1.6.2] - 2021-07-30
----------------------------
### New Features
- none
### Bug Fixes
- [metrics - role: Grafana dashboard not working after metrics role run unless services manually restarted](https://bugzilla.redhat.com/show_bug.cgi?id=1984150)
[1.6.0] - 2021-07-28
----------------------------
### New Features
- [storage - [RFE] storage: support volume sizes as a percentage of pool](https://bugzilla.redhat.com/show_bug.cgi?id=1984583)
### Bug Fixes
- none
[1.5.0] - 2021-07-15
----------------------------
### New Features
- [ha_cluster - RFE: ha_cluster - add pacemaker cluster properties configuration](https://bugzilla.redhat.com/show_bug.cgi?id=1982913)
### Bug Fixes
- none
[1.4.3] - 2021-07-15
----------------------------
### New Features
- [crypto_policies - rename 'policy modules' to 'subpolicies'](https://bugzilla.redhat.com/show_bug.cgi?id=1982896)
### Bug Fixes
- none
[1.4.2] - 2021-07-15
----------------------------
### New Features
- [storage - storage: relabel doesn't support](https://bugzilla.redhat.com/show_bug.cgi?id=1876315)
### Bug Fixes
- none
[1.4.1] - 2021-07-09
----------------------------
### New Features
- none
### Bug Fixes
- [network - Re-running the network system role results in "changed: true" when nothing has actually changed](https://bugzilla.redhat.com/show_bug.cgi?id=1943384)
[1.4.0] - 2021-07-08
----------------------------
### New Features
- [storage - RFE: Request that VDO be added to the Ansible (redhat-system-roles)](https://bugzilla.redhat.com/show_bug.cgi?id=1882475)
### Bug Fixes
- none
[1.3.0] - 2021-06-23
----------------------------
### New Features
- [ha_cluster - RFE: add pacemaker resources configuration](https://bugzilla.redhat.com/show_bug.cgi?id=1963283)
- [network - [Network] RFE: Support ignoring default gateway retrieved by DHCP/IPv6-RA](https://bugzilla.redhat.com/show_bug.cgi?id=1897565)
- [storage - RFE: Request that VDO be added to the Ansible (redhat-system-roles)](https://bugzilla.redhat.com/show_bug.cgi?id=1882475)
- [sshd - RFE: sshd - support for appending a snippet to configuration file](https://bugzilla.redhat.com/show_bug.cgi?id=1970642)
- [timesync - RFE: timesync support for Network Time Security (NTS)](https://bugzilla.redhat.com/show_bug.cgi?id=1970664)
### Bug Fixes
- [postfix - Postfix RHEL system role README.md missing variables under the "Role Variables" section](https://bugzilla.redhat.com/show_bug.cgi?id=1961858)
- [postfix - the postfix role is not idempotent](https://bugzilla.redhat.com/show_bug.cgi?id=1960375)
- [selinux - task for semanage says Fedora in name but also runs on RHEL/CentOS 8](https://bugzilla.redhat.com/show_bug.cgi?id=1966681)
- [metrics - role task to enable logging for targeted hosts not working](https://bugzilla.redhat.com/show_bug.cgi?id=1967335)
- [sshd ssh - Unable to set sshd_hostkey_group and sshd_hostkey_mode](https://bugzilla.redhat.com/show_bug.cgi?id=1966711)
[1.2.3] - 2021-06-17
----------------------------
### New Features
- [main.yml: Add EL 9 support for all roles](https://bugzilla.redhat.com/show_bug.cgi?id=1952887)
### Bug Fixes
- none
[1.2.2] - 2021-06-15
----------------------------
### New Features
- [timesync - Add hybrid_e2e option to PTP domain](https://bugzilla.redhat.com/show_bug.cgi?id=1957849)
### Bug Fixes
- [Internal links in README.md are broken](https://bugzilla.redhat.com/show_bug.cgi?id=1962976)
- [ha_cluster - cannot read preshared key in binary format](https://bugzilla.redhat.com/show_bug.cgi?id=1952620)
[1.2.1] - 2021-05-21
----------------------------
### New Features
- none
### Bug Fixes
- [Internal links in README.md are broken](https://bugzilla.redhat.com/show_bug.cgi?id=1962976)
[1.2.0] - 2021-05-17
----------------------------
### New Features
- [network - role: Support ethtool -G|--set-ring options](https://bugzilla.redhat.com/show_bug.cgi?id=1959649)
### Bug Fixes
- [postfix - postfix: Use FQRN in README](https://bugzilla.redhat.com/show_bug.cgi?id=1958963)
- [postfix - Documentation error in rhel-system-roles postfix readme file](https://bugzilla.redhat.com/show_bug.cgi?id=1866544)
- [storage - storage: calltrace observed when set type: partition for storage_pools](https://bugzilla.redhat.com/show_bug.cgi?id=1854187)
[1.1.0] - 2021-05-13
----------------------------
### New Features
- [timesync - [RFE] support for free form configuration for chrony](https://bugzilla.redhat.com/show_bug.cgi?id=1938023)
- [timesync - [RFE] support for timesync_max_distance to configure maxdistance/maxdist parameter](https://bugzilla.redhat.com/show_bug.cgi?id=1938016)
- [timesync - [RFE] support for ntp xleave, filter, and hw timestamping](https://bugzilla.redhat.com/show_bug.cgi?id=1938020)
- [selinux - [RFE] Ability to install custom SELinux module via Ansible](https://bugzilla.redhat.com/show_bug.cgi?id=1848683)
- [network - support for ipv6_disabled to disable ipv6 for address](https://bugzilla.redhat.com/show_bug.cgi?id=1939711)
- [vpn - [RFE] Release Ansible role for vpn in rhel-system-roles](https://bugzilla.redhat.com/show_bug.cgi?id=1943679)
### Bug Fixes
- [Bug fixes for Collection/Automation Hub](https://bugzilla.redhat.com/show_bug.cgi?id=1954747)
- [timesync - do not use ignore_errors in timesync role](https://bugzilla.redhat.com/show_bug.cgi?id=1938014)
- [selinux - rhel-system-roles should not reload the SELinux policy if its not changed](https://bugzilla.redhat.com/show_bug.cgi?id=1757869)
[1.0.0] - 2021-02-23
----------------------------
### New Features
- [network - RFE: [network] Support of DNS with options](https://bugzilla.redhat.com/show_bug.cgi?id=1893959)
- [network - RFE: [network] Embrace Inclusive language](https://bugzilla.redhat.com/show_bug.cgi?id=1893957)
- [ssh - [8.4] [RFE] Release Ansible role for ssh client in rhel-system-roles](https://bugzilla.redhat.com/show_bug.cgi?id=1893712)
- [clusterha - [8.4] [RFE] Release Ansible role for cluster HA in rhel-system-roles](https://bugzilla.redhat.com/show_bug.cgi?id=1893743)
- [logging - Logging - Support RELP secure transport in the logging role configuration](https://bugzilla.redhat.com/show_bug.cgi?id=1889484)
- [metrics - [8.4] [RFE] add exporting-metric-data-to-elasticsearch functionality in the metrics role](https://bugzilla.redhat.com/show_bug.cgi?id=1895188)
- [metrics - release SQL server configuration support in the metrics role](https://bugzilla.redhat.com/show_bug.cgi?id=1893908)
- [[8.4] Package rhel-system-roles in the collection format in addition to the legacy role format](https://bugzilla.redhat.com/show_bug.cgi?id=1893906)
### Bug Fixes
- [logging - Logging - Integrating ELK with RHV-4.4 fails as RHVH is missing 'rsyslog-gnutls' package.](https://bugzilla.redhat.com/show_bug.cgi?id=1927943)
- [storage - storage: omitted parameters on existing pool/volume is interpreted as "use the default"](https://bugzilla.redhat.com/show_bug.cgi?id=1894651)
- [storage - storage: must list disks in order to identify an existing pool](https://bugzilla.redhat.com/show_bug.cgi?id=1894676)
- [storage - storage: pool metadata usage must be accounted for by the user](https://bugzilla.redhat.com/show_bug.cgi?id=1894647)
- [selinux - Merged fix incorrect default value (there is no variable named "present")](https://bugzilla.redhat.com/show_bug.cgi?id=1926947)
- [storage - storage: tests_luks.yml partition case failed with nvme disk](https://bugzilla.redhat.com/show_bug.cgi?id=1865990)
[1.0] - 2021-01-15
----------------------------
### New Features
- [tlog - Add exclude_users and exclude_groups support](https://bugzilla.redhat.com/show_bug.cgi?id=1895472)
- [crypto_policies - [8.4] [RFE] Release Ansible role for crypto policies in rhel-system-roles](https://bugzilla.redhat.com/show_bug.cgi?id=1893699)
- [sshd - [8.4] [RFE] Release Ansible role for sshd in rhel-system-roles](https://bugzilla.redhat.com/show_bug.cgi?id=1893696)
- [metrics - role should automate the setup of Grafana datasources](https://bugzilla.redhat.com/show_bug.cgi?id=1855544)
- [network role: Support -K|--features|--offload ethtool options](https://bugzilla.redhat.com/show_bug.cgi?id=1696703)
- [network role: Atomic changes](https://bugzilla.redhat.com/show_bug.cgi?id=1695161)
### Bug Fixes
- [storage - safe mode of storage role does not prevent accidentally losing data when toggling encryption on a volume, disk or pool](https://bugzilla.redhat.com/show_bug.cgi?id=1881524)
- [storage - storage: ext2/3/4 resize function doesn't work](https://bugzilla.redhat.com/show_bug.cgi?id=1862867)
- [logging - [logging role] cannot setup machine with tls](https://bugzilla.redhat.com/show_bug.cgi?id=1861318)
- [certificate - role: The role is not idempotent in rhel7](https://bugzilla.redhat.com/show_bug.cgi?id=1859547)
- [logging - Logging - Bug fixes](https://bugzilla.redhat.com/show_bug.cgi?id=1854546)
- [logging - [logging role] support scenario for client without key/cert, just CA cert](https://bugzilla.redhat.com/show_bug.cgi?id=1860896)
- [metrics - role incorrectly sets up multiple primary pmie processes in multi-host mode](https://bugzilla.redhat.com/show_bug.cgi?id=1855539)
- [certificate - role cannot manage EL7 hosts](https://bugzilla.redhat.com/show_bug.cgi?id=1848745)
- [network - [network] Support state:down persistent_state:absent for non-existent profile](https://bugzilla.redhat.com/show_bug.cgi?id=1822777)
- [network - Creating active bonded interface fails with the initscripts provider](https://bugzilla.redhat.com/show_bug.cgi?id=1848472)
- [logging - Logging role had performance issues](https://bugzilla.redhat.com/show_bug.cgi?id=1848762)
- [certificate - role does not work on controller hosts which use jinja2 2.10](https://bugzilla.redhat.com/show_bug.cgi?id=1848742)
- [nbde_client - fix idempotency, check_mode issues with nbde_client role](https://bugzilla.redhat.com/show_bug.cgi?id=1848766)
- [storage - Storage role can remove existing filesystems and volume groups without warning](https://bugzilla.redhat.com/show_bug.cgi?id=1763242)
- [network role: Minimize service disruption](https://bugzilla.redhat.com/show_bug.cgi?id=1695157)
- [typo in selinux/tests/tests_selinux_disabled.yml: Invalid options for assert: mgs](https://bugzilla.redhat.com/show_bug.cgi?id=1677743)
- [Check mode problems in rhel-system-roles](https://bugzilla.redhat.com/show_bug.cgi?id=1685904)
[0.6] - 2018-05-11
----------------------------
### New Features
- [RFE: Ansible rhel-system-roles.network: add ETHTOOL_OPTS, LINKDELAY, IPV4_FAILURE_FATAL](https://bugzilla.redhat.com/show_bug.cgi?id=1478576)
### Bug Fixes
- none


@ -1,428 +0,0 @@
From e3004a25d680a17852ade20fa7438b5d4acfc470 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Apr 2022 10:42:17 +0200
Subject: [PATCH 1/7] Update templates to apply FIPS hostkeys filter
This fixes up the commit 7f69d1e6
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
templates/sshd_config.j2 | 6 +++++-
templates/sshd_config_snippet.j2 | 6 +++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index 15ee668..8c7f322 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
@@ -22,7 +22,11 @@
{% elif sshd[key] is defined %}
{% set value = sshd[key] %}
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
-{% set value = __sshd_defaults[key] %}
+{% if key == 'HostKey' and __sshd_fips_mode %}
+{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
+{% else %}
+{% set value = __sshd_defaults[key] %}
+{% endif %}
{% endif %}
{{ render_option(key,value) -}}
{% endmacro %}
diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2
index 6766e09..6b23c76 100644
--- a/templates/sshd_config_snippet.j2
+++ b/templates/sshd_config_snippet.j2
@@ -21,7 +21,11 @@
{% elif sshd[key] is defined %}
{% set value = sshd[key] %}
{% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %}
-{% set value = __sshd_defaults[key] %}
+{% if key == 'HostKey' and __sshd_fips_mode %}
+{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %}
+{% else %}
+{% set value = __sshd_defaults[key] %}
+{% endif %}
{% endif %}
{{ render_option(key,value) -}}
{% endmacro %}
--
2.34.1
From 8ee135cbd9ea63e4345a5ec618d64d14f6b03eee Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Apr 2022 11:10:27 +0200
Subject: [PATCH 2/7] Set explicit path to the main configuration file to work
well with the drop-in directory
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/tests_alternative_file.yml | 2 ++
tests/tests_alternative_file_role.yml | 2 ++
2 files changed, 4 insertions(+)
diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
index 0a8ccaf..215c726 100644
--- a/tests/tests_alternative_file.yml
+++ b/tests/tests_alternative_file.yml
@@ -6,6 +6,7 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
- /etc/ssh/sshd_config_custom
- /etc/ssh/sshd_config_custom_second
+ - /tmp/ssh_host_ecdsa_key
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
@@ -52,6 +53,7 @@
include_role:
name: ansible-sshd
vars:
+ sshd_config_file: /etc/ssh/sshd_config
sshd:
Banner: /etc/issue
Ciphers: aes192-ctr
diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
index 9177709..3e7c7ea 100644
--- a/tests/tests_alternative_file_role.yml
+++ b/tests/tests_alternative_file_role.yml
@@ -6,6 +6,7 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
- /etc/ssh/sshd_config_custom
- /etc/ssh/sshd_config_custom_second
+ - /tmp/ssh_host_ecdsa_key
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
@@ -57,6 +58,7 @@
roles:
- ansible-sshd
vars:
+ sshd_config_file: /etc/ssh/sshd_config
sshd:
Banner: /etc/issue
Ciphers: aes192-ctr
--
2.34.1
From 041e86952d14b5c90795fb553e7ba942d541a6b3 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Apr 2022 11:17:12 +0200
Subject: [PATCH 3/7] tests: Fix OS detection to match also CentOS 9
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/tasks/setup.yml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml
index 90a3f00..a0e9324 100644
--- a/tests/tasks/setup.yml
+++ b/tests/tasks/setup.yml
@@ -26,6 +26,5 @@
main_sshd_config_name: 00-ansible_system_role.conf
main_sshd_config_path: /etc/ssh/sshd_config.d/
when: >
- ansible_facts['distribution'] == 'Fedora' or
- (ansible_facts['distribution'] == 'RedHat' and
- ansible_facts['distribution_major_version']|int > 8)
+ ansible_facts['os_family'] == 'RedHat' and
+ ansible_facts['distribution_major_version']|int > 8
--
2.34.1
From e33f2f5bb874aa786ac0c81e8ef63509033f6644 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Apr 2022 11:20:34 +0200
Subject: [PATCH 4/7] tests: Slurp the correct file when writing main config
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/tests_alternative_file.yml | 2 +-
tests/tests_alternative_file_role.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml
index 215c726..172c73a 100644
--- a/tests/tests_alternative_file.yml
+++ b/tests/tests_alternative_file.yml
@@ -82,7 +82,7 @@
- name: Print the main configuration file
slurp:
- src: "{{ main_sshd_config }}"
+ src: /etc/ssh/sshd_config
register: config3
- name: Check content of first configuration file
diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml
index 3e7c7ea..09fbce4 100644
--- a/tests/tests_alternative_file_role.yml
+++ b/tests/tests_alternative_file_role.yml
@@ -98,7 +98,7 @@
- name: Print the main configuration file
slurp:
- src: "{{ main_sshd_config }}"
+ src: /etc/ssh/sshd_config
register: config3
- name: Check content of first configuration file
--
2.34.1
From 8d91dcecd000e7843ad9e827c3d2e6e04ce05e8d Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Apr 2022 20:28:32 +0200
Subject: [PATCH 5/7] Unbreak FIPS detection and hostkey filtering
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tasks/install.yml | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/tasks/install.yml b/tasks/install.yml
index f1d8455..571281c 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -40,10 +40,11 @@
- name: Make sure hostkeys are available and have expected permissions
vars: &share_vars
+ # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default
__sshd_fips_mode: >-
- - __sshd_hostkeys_nofips | d([])
- - __sshd_kernel_fips_mode.content | b64decode == "1" | bool or \
- __sshd_userspace_fips_mode.content | b64decode != "0" | bool
+ {{ __sshd_hostkeys_nofips | d([]) and
+ (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or
+ __sshd_userspace_fips_mode.content | d('MAo=') | b64decode | trim != '0') }}
# This mimics the macro body_option() in sshd_config.j2
# The explicit to_json filter is needed for Python 2 compatibility
__sshd_hostkeys_from_config: >-
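Review bot: `__sshd_fips_mode` on the new `>-` expression is not always a boolean: when `__sshd_hostkeys_nofips | d([])` is empty, Jinja's `and` yields that empty list, so the variable renders as `[]` rather than `False` and only stays falsy because Ansible converts the rendered literal back into a list. Wrapping the whole `and` expression in parentheses and appending `| bool` inside the `{{ }}` pins the type so that every later `{% if __sshd_fips_mode %}` reads a real boolean instead of depending on that conversion. The name also reads as a plain FIPS-state flag while the value actually means "FIPS is enabled and this OS defines host keys that must be skipped"; a one-line comment above it, `# true only when FIPS is on AND there are hostkeys to filter out`, would stop it being reused as a FIPS indicator elsewhere. The `vars:` block this sits in continues past the hunk.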
@@ -58,14 +59,14 @@
{{ __sshd_defaults['HostKey'] | to_json }}
{% endif %}
{% else %}
- []
+ {{ [] | to_json }}
{% endif %}
__sshd_verify_hostkeys: >-
{% if not sshd_verify_hostkeys %}
- []
+ {{ [] | to_json }}
{% elif sshd_verify_hostkeys == 'auto' %}
- {% if sshd_HostKey is string %}
- [ {{ __sshd_hostkeys_from_config }} ]
+ {% if __sshd_hostkeys_from_config | from_json is string %}
+ {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
{% else %}
{{ __sshd_hostkeys_from_config }}
{% endif %}
--
2.34.1
From d839fb207e29cbbbc1d256260190f113c332ecba Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 11 Apr 2022 13:06:24 +0200
Subject: [PATCH 6/7] tests: Add negative test for FIPS mode
This fixes also a typo that was overlooked previously
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/tests_hostkeys_fips.yml | 53 ++++++++++++++++++++++++++++++-----
1 file changed, 46 insertions(+), 7 deletions(-)
diff --git a/tests/tests_hostkeys_fips.yml b/tests/tests_hostkeys_fips.yml
index 65cc765..7cf3767 100644
--- a/tests/tests_hostkeys_fips.yml
+++ b/tests/tests_hostkeys_fips.yml
@@ -4,13 +4,52 @@
__sshd_test_backup_files:
- /etc/ssh/sshd_config
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf
- - /etc/ssh/ssh_host_ed255519_key
- - /etc/ssh/ssh_host_ed255519_key.pub
+ - /etc/ssh/ssh_host_ed25519_key
+ - /etc/ssh/ssh_host_ed25519_key.pub
- /etc/system-fips
tasks:
- name: "Backup configuration files"
include_tasks: tasks/backup.yml
+ - name: Run the role with default parameters without FIPS mode
+ include_role:
+ name: ansible-sshd
+
+ - name: Verify the options are correctly set
+ block:
+ - meta: flush_handlers
+
+ - name: Print current configuration file
+ slurp:
+ src: "{{ main_sshd_config }}"
+ register: config
+
+ - name: Get stat of private key
+ stat:
+ path: /etc/ssh/ssh_host_ed25519_key
+ register: privkey
+
+ - name: Get stat of public key
+ stat:
+ path: /etc/ssh/ssh_host_ed25519_key.pub
+ register: pubkey
+
+ - name: Check the key is in configuration file (without include)
+ assert:
+ that:
+ - "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode"
+ when:
+ - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int < 9
+
+ - name: Check host key was generated
+ assert:
+ that:
+ - privkey.stat.exists
+ - pubkey.stat.exists
+ when:
+ - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 6
+ tags: tests::verify
+
- name: Fake FIPS mode
block:
- name: Create temporary directory
@@ -40,13 +79,13 @@
- name: Remove the Ed25519 hostkey
file:
path:
- /etc/ssh/ssh_host_ed255519_key
+ /etc/ssh/ssh_host_ed25519_key
state: absent
- name: Remove the Ed25519 pubkey
file:
path:
- /etc/ssh/ssh_host_ed255519_key.pub
+ /etc/ssh/ssh_host_ed25519_key.pub
state: absent
- name: Run the role with default parameters
@@ -64,18 +103,18 @@
- name: Get stat of private key
stat:
- path: /etc/ssh/ssh_host_ed255519_key
+ path: /etc/ssh/ssh_host_ed25519_key
register: privkey
- name: Get stat of public key
stat:
- path: /etc/ssh/ssh_host_ed255519_key.pub
+ path: /etc/ssh/ssh_host_ed25519_key.pub
register: pubkey
- name: Check the key is not in configuration file
assert:
that:
- - "'HostKey /etc/ssh/ssh_host_ed255519_key' not in config.content | b64decode"
+ - "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode"
- name: Check no host key was generated
assert:
--
2.34.1
From 2a49697fa4bb6281796e76a4b7ee34c356f802cc Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 11 Apr 2022 13:07:44 +0200
Subject: [PATCH 7/7] Introduce default hostkeys to check when using drop-in
directory
Previously no hostkeys were checked if they were not present
in the generated configuration file. When the drop-in directory is
used, usually, there are no hostkeys in that file and no sanity
check for hostkeys was executed.
This amends the "auto" value for the hostkeys check to allow checking
for default hostkeys that are read by OpenSSH by default.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
defaults/main.yml | 1 +
tasks/install.yml | 8 +++++++-
vars/Fedora.yml | 6 ++++++
vars/RedHat_9.yml | 6 ++++++
4 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 18d6114..7e40e51 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -61,6 +61,7 @@ sshd_sftp_server: /usr/lib/openssh/sftp-server
# configuration or restarting), we make sure the keys exist and have correct
# permissions. To disable this check, set sshd_verify_hostkeys to false
sshd_verify_hostkeys: "auto"
+__sshd_verify_hostkeys_default: []
sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}"
sshd_hostkey_group: "{{ __sshd_hostkey_group }}"
sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}"
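Review bot: `__sshd_verify_hostkeys_default: []` is added without a comment in a defaults file where the neighbouring settings are explained, and nothing tells the reader that the empty list is the fallback for OSes whose `vars/` file does not supply a host key list. A comment above the line such as `# Host keys verified when sshd_verify_hostkeys is "auto" and the generated` / `# config lists no HostKey (drop-in directory); per-OS vars/ files override this.` would document the contract. Note that a `__`-prefixed internal variable in defaults/ has the lowest precedence, so an inventory or play variable of the same name would override this fallback (though not the per-OS `vars/` values); if that is not intended it may belong in vars/main.yml instead.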
diff --git a/tasks/install.yml b/tasks/install.yml
index 571281c..fa7d3c3 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -65,7 +65,13 @@
{% if not sshd_verify_hostkeys %}
{{ [] | to_json }}
{% elif sshd_verify_hostkeys == 'auto' %}
- {% if __sshd_hostkeys_from_config | from_json is string %}
+ {% if not __sshd_hostkeys_from_config | from_json %}
+ {% if __sshd_fips_mode %}
+ {{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips) | to_json }}
+ {% else %}
+ {{ __sshd_verify_hostkeys_default | to_json }}
+ {% endif %}
+ {% elif __sshd_hostkeys_from_config | from_json is string %}
{{ [ __sshd_hostkeys_from_config | from_json ] | to_json }}
{% else %}
{{ __sshd_hostkeys_from_config }}
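Review bot: `difference(__sshd_hostkeys_nofips)` in the new `{% if __sshd_fips_mode %}` branch uses the variable without the `| d([])` default that the `__sshd_fips_mode` definition earlier in the same `vars:` block applies to it. The branch is only reached when `__sshd_fips_mode` is truthy, which today implies a non-empty `__sshd_hostkeys_nofips`, but that is an implicit coupling between two variables; `{{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips | d([])) | to_json }}` makes the branch self-contained if the FIPS flag is ever computed differently. Since this is the first time the role verifies host keys that are not named in the generated config, a short comment above the new `{% if not ... %}` line stating that the fallback list comes from the per-OS `vars/` files and is empty elsewhere would help readers of this template. The task and its `vars:` block begin outside the hunk.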
diff --git a/vars/Fedora.yml b/vars/Fedora.yml
index 77bf172..cf2b081 100644
--- a/vars/Fedora.yml
+++ b/vars/Fedora.yml
@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
__sshd_defaults:
__sshd_os_supported: yes
+__sshd_verify_hostkeys_default:
+ - /etc/ssh/ssh_host_rsa_key
+ - /etc/ssh/ssh_host_ecdsa_key
+ - /etc/ssh/ssh_host_ed25519_key
+__sshd_hostkeys_nofips:
+ - /etc/ssh/ssh_host_ed25519_key
__sshd_hostkey_group: ssh_keys
__sshd_hostkey_mode: "0640"
diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml
index 33df26a..55239f4 100644
--- a/vars/RedHat_9.yml
+++ b/vars/RedHat_9.yml
@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
__sshd_defaults:
__sshd_os_supported: yes
+__sshd_verify_hostkeys_default:
+ - /etc/ssh/ssh_host_rsa_key
+ - /etc/ssh/ssh_host_ecdsa_key
+ - /etc/ssh/ssh_host_ed25519_key
+__sshd_hostkeys_nofips:
+ - /etc/ssh/ssh_host_ed25519_key
__sshd_hostkey_group: ssh_keys
__sshd_hostkey_mode: "0640"
--
2.34.1



@ -30,8 +30,8 @@ Name: linux-system-roles
%endif
Url: https://github.com/linux-system-roles
Summary: Set of interfaces for unified system management
Version: 1.16.2
Release: 1%{?dist}.3
Version: 1.20.1
Release: 1%{?dist}
#Group: Development/Libraries
License: GPLv3+ and MIT and BSD and Python
@ -127,85 +127,85 @@ BuildRequires: %{ansible_build_dep}
#%%defcommit 1 14314822b529520ac12964e0d2938c4bb18ab895
%global rolename1 postfix
%deftag 1 1.2.0
%deftag 1 1.2.4
#%%defcommit 2 9fe6eb36772e83b53dcfb8ceb73608fd4f72eeda
%global rolename2 selinux
%deftag 2 1.3.4
%deftag 2 1.4.0
#%%defcommit 3 cbe4bf262bffae3bf53e531662237741954c4182
%global rolename3 timesync
%deftag 3 1.6.6
%deftag 3 1.6.9
#%%defcommit 4 02fc72b482e165472624b2f68eecd2ddce1d93b1
%global rolename4 kdump
%deftag 4 1.2.2
%deftag 4 1.2.5
#%%defcommit 5 61423ed36fc6da6dbe8321912e896c59a2d8e2f6
#%%defcommit 5 a74092634adfe45f76cf761138abab1811692b4b
%global rolename5 network
%deftag 5 1.7.1
%deftag 5 1.9.1
#%%defcommit 6 50d2b8ccc98a8f4cb9d1d550d21adc227181e9fa
%global rolename6 storage
%deftag 6 1.7.0
%deftag 6 1.9.1
#%%defcommit 7 d57caa8ca506d8cbc7ca0f96f7cb62b7e965f163
%global rolename7 metrics
%deftag 7 1.5.1
%deftag 7 1.7.3
#%%defcommit 8 2b9e53233ee3a68bdb532e62f289733e436a6106
%global rolename8 tlog
%deftag 8 1.2.6
%deftag 8 1.2.9
#%%defcommit 9 9373303b98e09ef38df7afc8d06e5e55812096c7
%global rolename9 kernel_settings
%deftag 9 1.1.6
%deftag 9 1.1.10
#%%defcommit 10 20dd3e5520ca06dcccaa9b3f1fb428d055e0c23f
%global rolename10 logging
%deftag 10 1.8.1
%deftag 10 1.10.0
#%%defcommit 11 c57d0b1f3384c525738fa26ba4bdca485e162567
%global rolename11 nbde_server
%deftag 11 1.1.2
%deftag 11 1.1.5
#%%defcommit 12 bef2fad5e365712d1f40e53662490ba2550a253f
%global rolename12 nbde_client
%deftag 12 1.2.2
%deftag 12 1.2.6
#%%defcommit 13 310fc53db04e8d3134524afb7a89b0477a2ffb83
%global rolename13 certificate
%deftag 13 1.1.3
%deftag 13 1.1.6
#%%defcommit 14 b2a9857ac661fa32e66666e444b73bfdb34cdf95
%global rolename14 crypto_policies
%deftag 14 1.2.3
%deftag 14 1.2.6
%global forgeorg15 https://github.com/willshersystems
%global repo15 ansible-sshd
%global rolename15 sshd
%defcommit 15 214df35c0bee77b5d69f49c2da269251d451b28f
#%%deftag 15 v0.14.1
%defcommit 15 9766d9097a87a130d4c8abde2247aaad5c925ecf
#%%deftag 15 v0.15.1
#%%defcommit 16 59b9fd7b25607d8bd33bdb082748955f2652846a
%global rolename16 ssh
%deftag 16 1.1.4
%deftag 16 1.1.9
#%%defcommit 17 f901239cb91878719c9e7461760ef8d4789d626d
%global rolename17 ha_cluster
%deftag 17 1.4.1
%deftag 17 1.7.4
#%%defcommit 18 5f6cb73e6753fbdbb219b7d3079f0378b2d3bdb3
%global rolename18 vpn
%deftag 18 1.3.2
%deftag 18 1.3.5
%global rolename19 firewall
%deftag 19 1.1.0
%deftag 19 1.4.0
%global rolename20 cockpit
%deftag 20 1.2.1
%deftag 20 1.3.0
%global mainid 5e7bb389fc5e93184871b3907e75ba896874dc21
%global mainid c22eff88d40972158cd5c413b7468b4e904cc76c
Source: %{url}/auto-maintenance/archive/%{mainid}/auto-maintenance-%{mainid}.tar.gz
Source1: %{archiveurl1}
Source2: %{archiveurl2}
@ -230,11 +230,18 @@ Source20: %{archiveurl20}
# Collection tarballs from Automation Hub
# Not used on Fedora.
Source801: ansible-posix-1.3.0.tar.gz
Source801: ansible-posix-1.4.0.tar.gz
# Collection tarballs from Galaxy
# Not used on Fedora.
Source901: community-general-4.6.0.tar.gz
Source901: community-general-5.4.0.tar.gz
# changelog is auto generated on Fedora